Signatures
Nocturne uses a variant of Schnorr signatures over Baby Jubjub. The secret key is derived from the spending key, and the public key is the spending public key.
Spelled out, signing takes as input a message hash and proceeds as follows:
1.
2. (derive the signing secret key from the spending key)
3. (extract 32 bytes of entropy from the spending key)
4. (sample another 32 random bytes)
5. ("reduce" the hash output into a scalar, using the extra entropy from the spending key in addition to the rng)
6. (the rest is a "standard" Schnorr signature)
7.
8.
9. The signature is the pair
The nonce produced in step 5 must be uniformly distributed and never repeated: a reused or biased Schnorr nonce leaks the signing key, which is why the derivation mixes entropy from the spending key with the rng output rather than relying on either alone.
To verify, we take as input the message and signature and do the following (this is the standard verification procedure):
1.
2.
3.
4.
5. Accept the signature if the check holds. Reject it otherwise.
The signature scheme must be strongly unforgeable under chosen-message attack (SUF-CMA). Strong unforgeability also depends on the verifier accepting only canonical encodings of a signature (in particular a fully reduced scalar); otherwise a valid signature can be re-encoded into a second valid signature on the same message.
Schnorr signature schemes are known to be secure under the discrete log assumption in the random-oracle model. In our case, the scheme is secure under the following assumptions:
1. Poseidon is a random oracle
2. The discrete log problem is infeasible in Baby Jubjub
The second assumption concerns the prime-order subgroup of Baby Jubjub: the curve has cofactor 8, so keys and nonces must be generated in that subgroup, and a verifier should reject points outside it, for the assumption to apply as stated.